Brain-actuated control authenticated key exchange

ABSTRACT

A method includes extracting, by a computing system, movement intentions of an individual from neural signals; mapping, by a secure element of the computing system, the movement intentions to a character string; and generating, by the computing system, a symmetric encryption key using the character string as an input to a key exchange protocol.

CROSS REFERNCES

The present application is a continuation of U.S. patent applicationSer. No. 17/244,295, entitled “BRAIN-ACTUATED CONTROL AUTHENTICATED KEYEXCHANGE,” filed Apr. 29, 2021, which is a continuation of U.S. Pat. No.10,999,066, entitled “BRAIN-ACTUATED CONTROL AUTHENTICATED KEYEXCHANGE,” filed Sep. 4, 2018, the entire contents of which areincorporated herein and for all purposes.

BACKGROUND

Access control systems may use one or more authentication factors toverify an individual's identity. For example, authentication factors mayinclude “something-you-know,” “something-you-have,” and“something-you-are.” Some access control systems may require elementsfrom two or three of these categories to provide two- or three-factorauthentication.

A brain-computer interface (“BCI”) is a direct communication pathwaybetween an individual's brain and an external device, such as amotorized wheelchair or a prosthetic limb, that enables signals from thebrain to control the device. An individual's intentions are extractedfrom data collected using BCI techniques, such as usingelectroencephalograph (“EEG”) sensors either remotely applied ordirectly attached to an individual.

Password Authenticated Key Exchange (“PAKE”) is a protocol that ensuresmutual authentication of at least two parties in the act of establishinga symmetric cryptographic key via a Diffie-Hellman key exchange. The useof Diffie-Hellman exchange ensures forward secrecy, which is a propertyof a key establishment protocol that guarantees that compromise of asession key or long-term private key after a given session does notcause the compromise of any earlier session. With PAKE, theauthentication credential exchange is protected from man-in-the-middleand phishing attacks. Authentication using PAKE relies on a pre-sharedweak secret (e.g., password), which is protected from (e.g., remainsunrevealed to) an eavesdropper, thereby preventing an off-linedictionary attack. Therefore, PAKE allows remote communicating partiesto establish a secure communication channel without the need to rely onany external trusted parties.

SUMMARY

Various embodiments relate to methods for mutual authentication using abrain-actuated control authentication key exchange (“BACAKE”) system. Anexample method includes receiving neural signals from a BCI coupled toan individual. Physical movement intentions of the individual areextracted from the neural signals. The physical movement intentions aremapped to a character string representing a knowledge factor. A secure,mutually authenticated communication channel is established between theBACAKE computing system and a provider computing system by using theknowledge factor as an input to a PAKE protocol.

Various other embodiments relate to a system for mutual authenticationusing a BACAKE computing system. An example system includes a featureextraction circuit configured to extract physical movement intentions ofan individual from neural signals received from a BCI coupled to theindividual. A mapping circuit is structured to map the physical movementintentions to a character string representing a knowledge factor. A PAKEcircuit is structured to establish a secure, mutually authenticatedcommunication channel between the BACAKE computing system and a providercomputing system by using the knowledge factor as an input to a PAKEprotocol.

It should be appreciated that all combinations of the foregoing conceptsand additional concepts discussed in greater detail below (provided suchconcepts are not mutually inconsistent) are contemplated as being partof the inventive subject matter disclosed herein. In particular, allcombinations of claimed subject matter appearing at the end of thisdisclosure are contemplated as being part of the inventive subjectmatter disclosed herein.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other features of the present disclosure will becomemore fully apparent from the following description and appended claims,taken in conjunction with the accompanying drawings. Understanding thatthese drawings depict only several implementations in accordance withthe disclosure and are, therefore, not to be considered limiting of itsscope, the disclosure will be described with additional specificity anddetail through use of the accompanying drawings.

FIG. 1 is a functional block diagram of a BACAKE authentication system,according to an example embodiment.

FIG. 2 is a schematic block diagram of the BACAKE authentication systemof FIG. 1 , according to an example embodiment.

Reference is made to the accompanying drawings throughout the followingdetailed description. In the drawings, similar symbols typicallyidentify similar components, unless context dictates otherwise. Theillustrative implementations described in the detailed description,drawings, and claims are not meant to be limiting. Other implementationsmay be utilized, and other changes may be made, without departing fromthe spirit or scope of the subject matter presented here. It will bereadily understood that the aspects of the present disclosure, asgenerally described herein and illustrated in the figures, can bearranged, substituted, combined, and designed in a wide variety ofdifferent configurations, all of which are explicitly contemplated andmade part of this disclosure.

DETAILED DESCRIPTION

Researchers have shown that noninvasively recorded electric brainactivity can be used to voluntarily control switches and communicationchannels. Use of brain-actuated techniques can provide near-totallyparalyzed individuals the ability to communicate using brain-actuatedcontrol (“BAC”). Neural data signals (e.g., EEG data) collected from ahuman brain through a scalp sensor array can be filtered to reduce noiseand can be further decomposed into discrete, independent components.

Large EEG components that account for muscle or eye movements can bedifferentiated and grouped. This sorting process can be based on whichscalp sensors detect such movements and on their relative signalstrength and timing following a stimulus event. These components allowthe intentions of an individual to be distinguished from one another andused as the basis for selecting between control choice alternatives,such as choosing between left and right.

EEG signals can be fed into a BCI to enhance the individual's ability tointeract with the environment via a computer and through the use of onlythought. BAC techniques allow the use of brain signals to makedecisions, control objects, and communicate with the world using brainintegration with peripheral devices and systems. For example, EEGsignals representing thoughts of an individual imagining they are movingan object can be filtered and modeled using neural networks to classifythe imaginary motions performed by the individual. These brain signalsindicate the intent of the individual to perform some real act, such asmoving their left hand or right foot. The individual's intended motionscan be executed using physical devices through BCI-activated controls.

Various embodiments relate to a BACAKE system structured to facilitatestrong, multi-factor and mutual authentication of an individual to aprovider computing system via a BCI. The BACAKE system enables identityauthentication and secure communication by leveraging the inventor'srealization that human intentions manifested as electrical signals thatemanate from the human brain can be treated as something-you-knowauthenticators. The BACAKE system relies on knowledge in the form of anindividual's “intentions” mapped to “weak secrets” shared bycommunicating parties (e.g., the individual and the authenticationsystem or access control system). The individual's intentions areextracted from data collected via a BCI. The collected intentions arethen mapped to password substitution strings and used as a knowledgeinput (a “something-you-know” factor) to a PAKE protocol to facilitatemutual authentication. For example, collected intentions can include aseries of hand gestures or dance steps that an individual utilizes as aproxy for a password.

The combination of knowledge-based cryptographic techniques with signalscapable of noninvasive BAC of user interface or locomotive devices canallow motor-limited and locked-in individuals to securely authenticatetheir identities to a provider system and establish a secure channel forsubsequent communications (e.g., to access healthcare or financialservices).

According to an example embodiment, the BAKAKE system facilitatesmulti-factor and mutual authentication of an individual to a providercomputing system via a brain-computer interface as follows. Neuralsignals are received from a brain-computer interface coupled to anindividual. Physical movement intentions of the individual are extractedfrom the neural signals. The physical movement intentions are mapped toa character string representing a knowledge factor. A secure, mutuallyauthenticated communication channel is established between the BACAKEcomputing system and a provider computing system by using encryptionwith a cryptographic key derived from the knowledge factor as an inputto a PAKE protocol.

According to an example embodiment, the generating, by the BACAKEcomputing system establishes mutual authentication with the providersystem as follows. A symmetric encryption key is generated using theknowledge factor as an input to a key exchange protocol. The BACAKEsystem encrypts a challenge question using the symmetric encryption key.The encrypted challenge question and a cleartext identifier of theindividual are transmitted to the provider computing system. Theprovider computing system is configured to authenticate the individualusing the encrypted challenge question and the cleartext identifier ofthe individual. In some embodiments, the BACAKE computing system alsoencrypts credentials of the individual (e.g., the knowledge factor)using the symmetric encryption key, and transmits to the providercomputing system the encrypted credentials.

The provider computing system authenticates the individual as follows. Astored copy of the knowledge factor is retrieved based on the cleartextidentifier of the individual. The symmetric key is derived using theknowledge factor as an input to the key exchange protocol. The encryptedchallenge question is decrypted using the symmetric key, and a challengeresponse to the challenge question is prepared. The challenge responseis encrypted using the symmetric key and is transmitted to theindividual via the BACAKE computing system. In some embodiments, theencrypted credentials of the individual include the encrypted knowledgefactor. In such embodiments, the provider computing system also decryptsthe encrypted knowledge factor and verifies that the decrypted knowledgefactor received from the BACAKE computing system matches the retrievedstored copy of the knowledge factor so as to provide an additional levelof authentication.

The BACAKE computing system receives the encrypted challenge responsefrom the provider computing system, and decrypts the encrypted challengeresponse using the symmetric encryption key. The decrypted challengeresponse is verified so as to authenticate the provider computingsystem.

In some embodiments, the BACAKE computing system is configured tofacilitate multi-factor authentication of the individual. For example,some embodiments facilitate authentication via a biometric (a“something-you-are”) authentication factor. For example, in oneembodiment, a biometric sample captured from the individual is encryptedusing the symmetric encryption key and is transmitted to the providercomputing system. The provider computing system decrypts the encryptedbiometric sample and matches the decrypted biometric sample with abiometric reference template associated with the individual so as toprovide two-factor authentication of the individual. In someembodiments, the biometric sample is captured from the neural signals.In other embodiments, the biometric sample is captured from a biometricsensor.

In some embodiments, the BACAKE computing system is also configured tofacilitate multi-factor authentication of the individual using apossession (a “something-you-have”) authentication factor. For example,in some embodiments, the possession factor is a unique identifier storedsecurely in hardware registered with the provider computing system asbelonging to the individual. For example, the unique identifier may bean identifier of the BCI device. Similar to the other authenticationfactors described herein, the unique identifier is encrypted using thesymmetric encryption key before being transmitted to the providercomputing system. This additional authentication factor can be usedinstead of or in addition to other authentication factors.

The BACAKE system solves various technical problems associated withauthentication systems. For example, one challenge with BCI systems isestablishing secure access between the individual and the device. Forexample, a hacker may attempt to transmit malicious control signals tothe device actuators in order to cause the device to behave in a mannerunintended by the individual. Similarly, a hacker may intercept andmanipulate signals between the BCI and the device. Potential riskexposure is amplified if the device is remote from the individual orbeing remotely managed from an external control device, such as a devicemanaged from a cloud system as an internet-of-things (“IoT”) device. TheBACAKE system enables the individual and a remote computing system tomutually authenticate each other and establish a secure channel forcommunication.

FIG. 1 is a functional block diagram of a BACAKE authentication system100, according to an example embodiment. The BACAKE authenticationsystem 100 includes an individual 102, a physical assistance device 104,a BCI 106, a BACAKE computing system 108, and a provider computingsystem 110. The BACAKE authentication system 100 is configured tofacilitate mutual authentication between the individual 102 and theprovider computing system 110 by mapping neural signals from theindividual 102 to character string representing a knowledge factor,which is used as an input to a PAKE protocol.

At 112, neural signals representing the individual's 102 intentions arecaptured from the individual 102 by the BCI 106. The BCI 106 analyzesand processes the received neural signals to generate control signalsrepresenting the individual's 102 intentions.

According to various embodiments, it should be understood that as aprerequisite to 112, the individual 102 must first enroll the knowledgefactor with the provider computing system 110. For example, according toan embodiment, enrollment includes the individual 102 repeating his orher desired intentions (e.g., a certain pattern of movement) asufficient number of times such that the BACAKE computing system 108 canreliably detect the desired intentions. The desired intentions arecaptured by the BACAKE computing system 108 and converted to the samecharacter string for use in subsequent authentication attempts. In someembodiments, enrollment is completed remotely if the user credentials(e.g., the weak secret) can be transferred securely to the providercomputing system 110 (e.g., using the provider computing system 110'spublic key to encrypt the user credentials).

At 114, the BCI 106 transmits the control signals representingindividual's 102 intentions to the BACAKE computing system 108. TheBACAKE computing system 108 maps the control signals representingindividual's 102 intentions to a character string representing aknowledge factor. The BACAKE computing system 108 generates a symmetricencryption key using the knowledge factor as an input to a key exchangeprotocol (e.g., Diffie-Hellman). The BACAKE computing system 108encrypts credentials of the individual 102 and a challenge questionusing the symmetric encryption key.

At 116, the encrypted credentials, the encrypted challenge question, anda cleartext identifier of the individual 102 are transmitted from theBACAKE computing system 108 to the provider computing system 110. Theprovider computing system 110 retrieves a stored copy of the knowledgefactor based on the cleartext identifier of the individual 102. Theprovider computing system 110 derives the symmetric key using theknowledge factor as an input to the key exchange protocol. The providercomputing system 110 decrypts the encrypted credentials using thesymmetric key and verifies the credentials. The individual 102 isauthenticated by the provider computing system 110 in response to theprovider computing system 110 (1) successfully decrypting the encryptedcredentials (indicating that the correct weak password was used togenerate the symmetric encryption key); and (2) verifying that thecredentials match previously-enrolled credentials associated with theidentifier of the individual 102. The provider computing system 110 alsodecrypts the encrypted challenge question, formulates a responsethereto, and encrypts the response using the symmetric key. In someembodiments, the response includes what the individual 102 sent as achallenge. The response message may be structured differently or mayotherwise include other information so that the response message isdifferent than the message sent to the provider computing system 110including the encrypted challenge question.

At 118, the encrypted response to the challenge question is transmittedfrom the provider computing system 110 to the BACAKE computing system108. The BACAKE computing system 108 decrypts the encrypted challengeresponse using the symmetric encryption key and verifies that thechallenge response matches an expected challenge response. The providercomputing system 110 is authenticated by the individual 102 in responseto the individual 102 verifying that the challenge response matches theexpected challenge response.

At 120, the BACAKE computing system 108 transmits response controlsignals to the BCI 106. The BACAKE computing system 108 generates theresponse control signals for use by the BCI 106 to facilitateverification that the challenge response matches the expected challengeresponse.

At 122, neural signals representing the challenge response aretransmitted from the BCI 106 to the individual 102. The BCI 106generates the neural signals based on the response control signalsreceived at 120. The individual 102 verifies whether the responsematches the expected challenge response. For example, the neural signalsmay cause the individual 102 to visualize an image or may incite anintention to move physically in a particular manner. In response toverifying the challenge response, the individual 102 transmits averification indication to the BCI 106. The provider computing system110 is authenticated by the individual 102 in response to the individual102 verifying that the challenge response matches the expected challengeresponse.

FIG. 2 is a schematic block diagram of the BACAKE authentication system100 of FIG. 1 , according to an example embodiment. As shown in FIG. 1 ,the BACAKE authentication system 100 includes the individual 102, thephysical assistance device 104, the BCI 106, the BACAKE computing system108, and the provider computing system 110. The various systems anddevices are operatively and communicatively coupled through a network111, which may include one or more of the Internet, cellular network,Wi-Fi, Wi-Max, a proprietary banking network, or any other type of wiredor wireless network or a combination of wired and wireless networks.

The individual 102 is any person who desires to establish a secure,mutually authenticated communication channel with a remote computingsystem, such as the provider computing system 110. The individual 102may, but need not be disabled in some manner. For example, theindividual 102 may be paralyzed and may not be capable of typing on akeyboard or touch screen device. In other embodiments, the BACAKEcomputing system 108 is utilized in connection with operation of adevice that does not facilitate conventional data entry, such as avirtual reality (“VR”) or augmented reality (“AR”) headset. The BACAKEauthentication system 100 enables the individual 102 to mutuallyauthenticate with the provider computing system 110 using theindividual's intentions (e.g., an intended pattern of motion) as aknowledge factor that is inputted into a PAKE protocol.

The physical assistance device 104 is any device that assists theindividual 102 in his or her daily life. For example, the physicalassistance device 104 may be a wheelchair, prosthetic device,exoskeleton, or other type of device. In some embodiments, the physicalassistance device 104 includes a controller that controls its operation.In certain embodiments, the controller is in operative communicationwith the provider computing system 110, which transmits operationalcommands to the physical assistance device 104 to cause the physicalassistance device 104 to perform a desired operation. In someembodiments, the BACAKE authentication system 100 includes a mentalassistance device rather than the physical assistance device 104. Forexample, in some embodiments, an AR or VR device is used instead of thephysical assistance device 104.

In some embodiments, the physical assistance device 104 includes othertypes of sensors, such as biometric sensors (e.g., fingerprint, voice,and retina sensors), motion detection sensors, and other types ofsensors configured to capture an input from the individual 102. In someembodiments, the physical assistance device 104 also includes an outputdevice, such as a speaker, a vibration device, etc. configured toprovide feedback to the individual 102 and/or to cause movement of theindividual 102.

The BCI 106 is operatively coupled to the individual 102. For example,in some embodiments, the BCI 106 includes an array of sensors (e.g., EEGsensors) embedded in a hat-like object that the individual 102 can wearon his or her head. In other embodiments, the BCI 106 is remote from theindividual 102 and detects remotely input from the individual 102. TheBCI 106 is configured to provide a direct communication pathway betweenthe individual's 102 brain and an external device (e.g., the physicalassistance device 104 via operative communication with the BACAKEcomputing system 108) that enables signals from the brain to control thedevice. The individual's 102 intentions are extracted from datacollected using BCI techniques, such as using EEG sensors.

The BACAKE computing system 108 includes a network interface circuit124, a feature extraction circuit 126, a mapping circuit 128, a PAKEcircuit 130, a biometric circuit 132, and a device control circuit 134.In some embodiments, the BACAKE computing system 108 is integrated intothe BCI 106. In other embodiments, the BACAKE computing system 108 isintegrated with or coupled to the physical assistance device 104. Insome embodiments, the BACAKE computing system 108 is implemented via anapplication on a mobile computing device.

The network interface circuit 124 includes, for example, hardware andassociated program logic that connects the BACAKE computing system 108to the network 111 to facilitate operative communication with the BCI106 and the provider computing system 110. The network interface circuit124 may facilitate communication using any combination of wired and/orwireless connections. For example, in one embodiment, the networkinterface 124 is connected to the BCI 106 via a wired connection.

The feature extraction circuit 126 is configured to extract theindividual's 102 intentions from the neural signals received from theBCI 106. In some embodiments, the feature extraction circuit 126 isfirst “trained” by measuring the neural response of an individualimagining certain physical movements or images. The neural response ischaracterized based on multiple neural signal samples to identify theparticular characteristics of the neural signals associated with thatparticular physical movement or intention of the individual 102.

The mapping circuit 128 is configured to map the individual's 102intentions to a character string.

The PAKE circuit 130 is configured to generate encryption keys, encryptinformation, and decrypt information, as set forth herein, in order tofacilitate mutual authentication with the provider computing system 110.

The biometric circuit 132 is structured to receive biometric samplesacquired from the individual 102. In some embodiments, the biometriccircuit receives the biometric samples from a biometric sensor (e.g.,fingerprint scanner, microphone, camera, etc.). In other embodiments,the biometric circuit 132 is configured to extract biometric samplesfrom the neural signals captured by the BCI 106.

The device control circuit 134 is structured to controllably enable anddisable operation of the physical assistance device 104. For example, insome embodiments, the device control circuit 134 defaults to a disabledcondition and enables operation of the physical assistance device onlyin response to establishing a secure communication channel between theBACAKE computing system 108 and the provider computing system 110. Thedevice control circuit 134 prevents malicious actors from obtainingunauthorized control of the physical assistance device 102.

The provider computing system 110 includes a user account database 136,a network interface circuit 138, a PAKE circuit 140, a biometricmatching circuit 142, and a device control circuit 144.

The user account database 136 includes various information associatedwith individuals who have established accounts with the providercomputing system 110. For example, the individual 102 may create anaccount with the provider computing system 110 and establishcredentials, such as a unique user identifier (e.g., username) andpassword. The user account database 136 stores the user identifier and ahash of the password in the user account database 136. The user accountdatabase 136 can also store a biometric reference template associatedwith the user identifier of the individual 102 that is generated whenthe individual 102 enrolls in biometric authentication with the providercomputing system 110.

The network interface circuit 138 includes, for example, hardware andassociated program logic that connects the provider computing system 110to the network 111 to facilitate operative communication with the BACAKEcomputing system 110.

The PAKE circuit 140 is configured to generate encryption keys, encryptinformation, and decrypt information, as set forth herein, in order tofacilitate mutual authentication with the BACAKE computing system 108.

The biometric matching circuit 142 compares one or more biometricsamples received from the BACAKE computing system 108 to storedbiometric reference templates using a biometric matching algorithm todetermine if the biometric samples match the biometric referencetemplate associated with the identifier of individual from which thebiometric samples were retrieved. If the biometric sample matches thereference template, then biometric authentication is established. If thebiometric sample does not match the reference template, then biometricauthentication is not established.

The device control circuit 144 is structured to transmit control signalsto the physical assistance device 104 in certain embodiments. Forexample, in some embodiments, the device control circuit 144 controlsall or part of the operation of the physical assistance device 104. Inthese embodiments, it becomes apparent how critical it is to establishmutual authentication between the individual 102 and the providercomputing system 110 in order to prevent a malicious actor fromcontrolling the physical assistance device 104 in an unauthorizedmanner.

The embodiments described herein have been described with reference todrawings. The drawings illustrate certain details of specificembodiments that implement the systems, methods and programs describedherein. However, describing the embodiments with drawings should not beconstrued as imposing on the disclosure any limitations that may bepresent in the drawings.

It should be understood that no claim element herein is to be construedunder the provisions of 35 U.S.C. § 112(f), unless the element isexpressly recited using the phrase “means for.”

As used herein, the term “circuit” may include hardware structured toexecute the functions described herein. In some embodiments, eachrespective “circuit” may include machine-readable media for configuringthe hardware to execute the functions described herein. The circuit maybe embodied as one or more circuitry components including, but notlimited to, processing circuitry, network interfaces, peripheraldevices, input devices, output devices, sensors, etc. In someembodiments, a circuit may take the form of one or more analog circuits,electronic circuits (e.g., integrated circuits (IC), discrete circuits,system on a chip (SOCs) circuits, etc.), telecommunication circuits,hybrid circuits, and any other type of “circuit.” In this regard, the“circuit” may include any type of component for accomplishing orfacilitating achievement of the operations described herein. Forexample, a circuit as described herein may include one or moretransistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR,etc.), resistors, multiplexers, registers, capacitors, inductors,diodes, wiring, and so on).

The “circuit” may also include one or more processors communicativelycoupled to one or more memory or memory devices. In this regard, the oneor more processors may execute instructions stored in the memory or mayexecute instructions otherwise accessible to the one or more processors.In some embodiments, the one or more processors may be embodied invarious ways. The one or more processors may be constructed in a mannersufficient to perform at least the operations described herein. In someembodiments, the one or more processors may be shared by multiplecircuits (e.g., circuit A and circuit B may comprise or otherwise sharethe same processor which, in some example embodiments, may executeinstructions stored, or otherwise accessed, via different areas ofmemory). Alternatively or additionally, the one or more processors maybe structured to perform or otherwise execute certain operationsindependent of one or more co-processors. In other example embodiments,two or more processors may be coupled via a bus to enable independent,parallel, pipelined, or multi-threaded instruction execution. Eachprocessor may be implemented as one or more general-purpose processors,application specific integrated circuits (ASICs), field programmablegate arrays (FPGAs), digital signal processors (DSPs), or other suitableelectronic data processing components structured to execute instructionsprovided by memory. The one or more processors may take the form of asingle core processor, multi-core processor (e.g., a dual coreprocessor, triple core processor, quad core processor, etc.),microprocessor, etc. In some embodiments, the one or more processors maybe external to the apparatus, for example the one or more processors maybe a remote processor (e.g., a cloud based processor). Alternatively oradditionally, the one or more processors may be internal and/or local tothe apparatus. In this regard, a given circuit or components thereof maybe disposed locally (e.g., as part of a local server, a local computingsystem, etc.) or remotely (e.g., as part of a remote server such as acloud based server). To that end, a “circuit” as described herein mayinclude components that are distributed across one or more locations.

An exemplary system for implementing the overall system or portions ofthe embodiments might include a general purpose computing computers inthe form of computers, including a processing unit, a system memory, anda system bus that couples various system components including the systemmemory to the processing unit. Each memory device may includenon-transient volatile storage media, non-volatile storage media,non-transitory storage media (e.g., one or more volatile and/ornon-volatile memories), a distributed ledger (e.g., a blockchain), etc.In some embodiments, the non-volatile media may take the form of ROM,flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR,etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc.In other embodiments, the volatile storage media may take the form ofRAM, TRAM, ZRAM, etc. Combinations of the above are also included withinthe scope of machine-readable media. In this regard, machine-executableinstructions comprise, for example, instructions and data which cause ageneral purpose computer, special purpose computer, or special purposeprocessing machines to perform a certain function or group of functions.Each respective memory device may be operable to maintain or otherwisestore information relating to the operations performed by one or moreassociated circuits, including processor instructions and related data(e.g., database components, object code components, script components,etc.), in accordance with the example embodiments described herein.

It should also be noted that the term “input devices,” as describedherein, may include any type of input device including, but not limitedto, a keyboard, a keypad, a mouse, joystick or other input devicesperforming a similar function. Comparatively, the term “output device,”as described herein, may include any type of output device including,but not limited to, a computer monitor, printer, facsimile machine, orother output devices performing a similar function.

It should be noted that although the diagrams herein may show a specificorder and composition of method steps, it is understood that the orderof these steps may differ from what is depicted. For example, two ormore steps may be performed concurrently or with partial concurrence.Also, some method steps that are performed as discrete steps may becombined, steps being performed as a combined step may be separated intodiscrete steps, the sequence of certain processes may be reversed orotherwise varied, and the nature or number of discrete processes may bealtered or varied. The order or sequence of any element or apparatus maybe varied or substituted according to alternative embodiments.Accordingly, all such modifications are intended to be included withinthe scope of the present disclosure as defined in the appended claims.Such variations will depend on the machine-readable media and hardwaresystems chosen and on designer choice. It is understood that all suchvariations are within the scope of the disclosure. Likewise, softwareand web implementations of the present disclosure could be accomplishedwith standard programming techniques with rule based logic and otherlogic to accomplish the various database searching steps, correlationsteps, comparison steps and decision steps.

The foregoing description of embodiments has been presented for purposesof illustration and description. It is not intended to be exhaustive orto limit the disclosure to the precise form disclosed, and modificationsand variations are possible in light of the above teachings or may beacquired from this disclosure. The embodiments were chosen and describedin order to explain the principals of the disclosure and its practicalapplication to enable one skilled in the art to utilize the variousembodiments and with various modifications as are suited to theparticular use contemplated. Other substitutions, modifications, changesand omissions may be made in the design, operating conditions andarrangement of the embodiments without departing from the scope of thepresent disclosure as expressed in the appended claims.

What is claimed is:
 1. A method comprising: extracting, by a computingsystem, movement intentions of an individual from neural signals;mapping, by a secure element of the computing system, the movementintentions to a character string; and generating, by the computingsystem, a symmetric encryption key using the character string as aninput to a key exchange protocol.
 2. The method of claim 1, furthercomprising: receiving, by the computing system, a biometric samplecaptured from the individual; encrypting, by the computing system, thebiometric sample using the symmetric encryption key; and transmitting,by the computing system, the encrypted biometric sample to a providercomputing system, the provider computing system configured to decryptthe encrypted biometric sample and match the decrypted biometric samplewith a biometric reference template associated with the individual so asto provide two-factor authentication of the individual.
 3. The method ofclaim 1, further comprising: establishing, by the computing system, anauthenticated communication channel between the computing system and aprovider computing system by using the character string as an input to apassword authenticated key exchange protocol.
 4. The method of claim 3,wherein the establishing the authenticated communication channelcomprises: encrypting, by the computing system, credentials of theindividual and a challenge question using the symmetric encryption key;transmitting, by the computing system, the encrypted credentials, theencrypted challenge question, and a cleartext identifier of theindividual to the provider computing system, the provider computingsystem configured to authenticate the individual using the encryptedcredentials, the encrypted challenge question, and the cleartextidentifier of the individual; retrieving, by the computing system, anencrypted challenge response; decrypting, by the computing system, theencrypted challenge response using the symmetric encryption key; andverifying, by the computing system, the decrypted challenge response soas to authenticate the provider computing system.
 5. The method of claim4, further comprising: encrypting, by the computing system, a uniqueidentifier of a brain-computer interface coupled to the individual usingthe symmetric encryption key; and transmitting, by the computing system,the encrypted unique identifier to the provider computing system, theprovider computing system configured to decrypt the encrypted uniqueidentifier and verify that the decrypted unique identifier matches astored unique identifier associated with the cleartext identifier of theindividual so as to provide two-factor authentication of the individual.6. The method of claim 1, further comprising: extracting, by thecomputing system, a biometric sample from the neural signals;encrypting, by the computing system, the biometric sample using thesymmetric encryption key; and transmitting, by the computing system, theencrypted biometric sample to a provider computing system, the providercomputing system configured to decrypt the encrypted biometric sampleand match the decrypted biometric sample with a biometric referencetemplate associated with the individual so as to provide two-factorauthentication of the individual.
 7. The method of claim 6, furthercomprising: disabling, by the computing system, operation of a deviceoperatively coupled to the computing system; and enabling, by thecomputing system, operation of the device in response to theauthenticating of the provider computing system.
 8. A system comprising:a computing system comprising: a feature extraction circuit configuredto extract movement intentions of an individual from neural signals; amapping circuit structured to map the movement intentions to a characterstring; and a password authenticated key exchange circuit structured to:generate a symmetric encryption key using the character string as aninput to a key exchange protocol.
 9. The system of claim 8, furthercomprising a biometric circuit configured to receive a biometric samplecaptured from the individual, wherein the password authenticated keyexchange circuit is further configured to: encrypt the biometric sampleusing the symmetric encryption key; and transmit the encrypted biometricsample to a provider computing system, the provider computing systemconfigured to decrypt the encrypted biometric sample and match thedecrypted biometric sample with a biometric reference templateassociated with the individual so as to provide two-factorauthentication of the individual.
 10. The system of claim 9, wherein thebiometric sample is extracted from the neural signals.
 11. The system ofclaim 8, wherein the password authenticated key exchange circuit isfurther structured to: establish an authenticated communication channelbetween the computing system and a provider computing system by usingthe character string as an input to a password authenticated keyexchange protocol.
 12. The system of claim 11, wherein the passwordauthenticated key exchange circuit is further structured to: encryptcredentials of the individual and a challenge question using thesymmetric encryption key; transmit the encrypted credentials, theencrypted challenge question, and a cleartext identifier of theindividual to the provider computing system, the provider computingsystem configured to authenticate the individual using the encryptedcredentials, the encrypted challenge question, and the cleartextidentifier of the individual; retrieve an encrypted challenge response;decrypt the encrypted challenge response using the symmetric encryptionkey; verify the decrypted challenge response so as to authenticate theprovider computing system; and establish the authenticated communicationchannel with the provider computing system in response to verifying thedecrypted challenge response.
 13. The system of claim 12, wherein thepassword authenticated key exchange circuit is further configured to:encrypt a unique identifier of a brain-computer interface using thesymmetric encryption key; and transmit the encrypted unique identifierto the provider computing system, the provider computing systemconfigured to decrypt the encrypted unique identifier and verify thatthe decrypted unique identifier matches a stored unique identifierassociated with the cleartext identifier of the individual so as toprovide two-factor authentication of the individual.
 14. The system ofclaim 13, wherein the password authenticated key exchange circuit isfurther configured to: encrypt a biometric sample captured from theindividual using the symmetric encryption key; and transmit theencrypted biometric sample to the provider computing system, theprovider computing system configured to decrypt the encrypted biometricsample and match the decrypted biometric sample with a biometricreference template associated with the individual so as to providethree-factor authentication of the individual.
 15. The system of claim13, further comprising a device control circuit operatively coupled to aphysical assistance device, the device control circuit configured to:disable operation of the physical assistance device; and enableoperation of the physical assistance device in response to the passwordauthenticated key exchange circuit authenticating the provider computingsystem.
 16. The system of claim 12, wherein the encrypted challengeresponse relates to an image, wherein the system further comprises anetwork interface circuit configured to transmit second neural signalsrepresenting the image, and wherein the password authenticated keyexchange circuit is further configured to receive an input from theindividual signifying that the image is an expected image associatedwith the provider computing system so as to verify of the decryptedchallenge response.
 17. A non-transitory computer-readable media havingcomputer-executable instructions embodied therein that, when executed bya computing system, causes the computing system to perform operationscomprising: extracting movement intentions of an individual from neuralsignals; mapping the movement intentions to a character string; andgenerating a symmetric encryption key using the character string as aninput to a key exchange protocol.
 18. The non-transitorycomputer-readable media of claim 17, wherein the operations furthercomprise: establishing an authenticated communication channel betweenthe computing system and a provider computing system by using thecharacter string as an input to a password authenticated key exchangeprotocol.
 19. The non-transitory computer-readable media of claim 18,wherein the establishing the authenticated communication channelcomprises: encrypting credentials of the individual and a challengequestion using the symmetric encryption key; transmitting the encryptedcredentials, the encrypted challenge question, and a cleartextidentifier of the individual to the provider computing system, theprovider computing system configured to authenticate the individualusing the encrypted credentials, the encrypted challenge question, andthe cleartext identifier of the individual; retrieving an encryptedchallenge response; decrypting the encrypted challenge response usingthe symmetric encryption key; and verifying the decrypted challengeresponse so as to authenticate the provider computing system.
 20. Thenon-transitory computer-readable media of claim 18, the operationsfurther comprising: retrieving a biometric sample captured from theindividual; encrypting the biometric sample using the symmetricencryption key; and transmitting the encrypted biometric sample to theprovider computing system, the provider computing system configured todecrypt the encrypted biometric sample and match the decrypted biometricsample with a biometric reference template associated with theindividual so as to provide two-factor authentication of the individual.